
The combination of zero trust with digital forensics offers a near-ironclad approach to insider activity


While zero-trust has become a more accepted cybersecurity strategy, it’s far from mature and foolproof.

But it’s clear that the zero-trust approach has gained traction among security pros. A 2021 report published by Microsoft found that zero-trust – the idea that all traffic gets authenticated before it enters the network – was the No. 1 priority for security decision makers and 76% of them are currently in the process of implementing it.

While zero-trust has proven effective, security leaders shouldn’t be lulled into a false sense of security. Zero-trust may offer a strict identity verification process that significantly reduces cyber-risk from internal users, but it’s still highly vulnerable to nefarious activity. Insiders can easily bypass controls such as multi-factor authentication and least privileged access if they have access to the data they’re targeting.

Software engineers, for example, can access code and other valuable intellectual property. A zero-trust approach alone won’t stop insiders from copying this data to external cloud storage or onto a USB drive. This should especially concern organizations at a time when the average global cost of insider threats has risen to $11.45 million, according to the Ponemon Institute.

Knowing these weaknesses can be exploited, organizations incorporating zero-trust must continue to plan for the inevitability of an insider attack by bringing digital forensic technologies into their zero-trust strategies. Together, these preventative and post-incident strategies and solutions give organizations the potential to develop a near-ironclad approach to insider activity.

Before using digital forensics in a zero-trust environment, security teams need to ensure the two technologies are properly configured to work with one another. Zero-trust may block security teams from using remote acquisition technology that operates in client-to-node traffic. Forensic analysts can use remote acquisition technology to covertly connect to target endpoints to investigate and respond to insider activity and other cybersecurity incidents such as ransomware. If this technology no longer functions, organizations may be more vulnerable in the wake of an attack because they would lose their ability to respond in a timely and effective fashion.

After functionality has been sorted, organizations can use a two-pronged approach to protecting their digital assets. While zero-trust helps limit security incidents, digital forensics gives organizations the ability to respond to those that still occur by identifying attackers, determining what data has been compromised and potentially even recovering it.

In the example of a public data leak, zero-trust gives forensic analysts a solid foundation to begin their investigations by narrowing down the list of suspects to the employees who had access to the leaked data. Instead of collecting devices and tipping off an insider that they’re being investigated, analysts use remote acquisition technology to covertly connect to those employees’ devices and build a timeline of events in relation to the leaked data. An investigation will quickly reveal, for example, that a certain employee downloaded a document, exfiltrated it using a USB drive and posted it onto a social media website.

There are also times where it’s appropriate to conduct digital forensic scans without prior knowledge of an insider incident. Each time an organization with valuable IP or substantial personally identifiable information offboards an employee, it puts itself at risk of data exfiltration, even with a zero-trust approach. To manage the risk associated with the process, many organizations are now performing pre-emptive digital forensic scans on outgoing employees. Instead of focusing on one document, forensic analysts widen the scope and review all USB connection history, cloud storage, email, recently accessed files and folders, browser history, and other sources of evidence to identify insider threats.
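The timeline-building step the column describes (document access, then USB copy, then an upload) as an added example, not code from the column or from Magnet Forensics’ tooling: evidence records from file-access, USB and browser sources are merged in time order per user, and a user whose chain shows the document copied to removable media followed by an upload is flagged for review. The record format, user names, timestamps and USB serial are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Event:
    ts: datetime
    source: str   # evidence source: file_access | usb | browser
    user: str
    detail: str

# Constructed sample evidence, one record per line: "<ISO time>|<source>|<user>|<detail>"
SAMPLE_EVIDENCE = [
    "2023-03-01T09:02:00|file_access|alice|open roadmap-q3.docx",
    "2023-03-01T09:10:00|usb|alice|mount removable serial=CONSTRUCTED-0001",
    "2023-03-01T09:11:30|usb|alice|copy roadmap-q3.docx -> E:\\",
    "2023-03-01T09:40:00|browser|alice|upload social.example/post",
    "2023-03-01T10:15:00|file_access|bob|open roadmap-q3.docx",
    "2023-03-01T11:00:00|browser|bob|visit intranet.example/wiki",
]

def parse_events(lines):
    """Parse the constructed record format and return events sorted by time."""
    events = []
    for line in lines:
        ts, source, user, detail = line.strip().split("|", 3)
        events.append(Event(datetime.fromisoformat(ts), source, user, detail))
    return sorted(events, key=lambda e: e.ts)

def build_timelines(events, document, window=timedelta(hours=2)):
    """For every user who accessed `document`, collect that access plus the user's
    USB and browser activity inside `window`. Returns {user: [Event, ...]}."""
    timelines = {}
    for i, ev in enumerate(events):
        if ev.source == "file_access" and document in ev.detail:
            chain = [ev]
            for later in events[i + 1:]:
                if later.ts - ev.ts > window:
                    break   # events are sorted, so nothing further is in the window
                if later.user == ev.user and later.source in ("usb", "browser"):
                    chain.append(later)
            merged = timelines.setdefault(ev.user, [])
            merged.extend(e for e in chain if e not in merged)  # no duplicates on repeat access
    return timelines

def exfil_suspects(timelines, document):
    """Users whose timeline shows `document` copied to removable media and a later upload."""
    suspects = []
    for user, chain in timelines.items():
        copied = [e.ts for e in chain if e.source == "usb" and "copy" in e.detail and document in e.detail]
        uploaded = [e.ts for e in chain if e.source == "browser" and "upload" in e.detail]
        if copied and uploaded and min(uploaded) > min(copied):
            suspects.append(user)
    return suspects
```

In practice the three record sources would come from the endpoint's file-access audit log, USB device history and browser history as acquired by the forensic tool; the correlation logic is the same.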

Beyond identifying insiders, organizations may seek to recover the data that was stolen. Zero-trust and data loss prevention can limit a malicious insider’s ability to delete files on company systems, but the copies that left the network are what security teams must regain control of. Digital forensics may not be directly capable of this, but it does find the critical evidence required for organizations to recover exfiltrated data through human resources and judicial proceedings. These cases are built on the evidence collected by digital forensic tools, and because the methods used by the technology are forensically sound, repeatable and preserve the proper chain of custody, they’ve been proven reliable in state and federal courts.

There are valuable cybersecurity lessons to learn from the way zero-trust operates. The technology wisely does not trust its own users. Organizations implementing it would be wise to develop a similar mindset about zero-trust itself. Security teams can’t rely on one preventative measure to safeguard an organization’s most valuable data. Cybercriminals will always find a way to breach those initial lines of defense. But when companies combine zero-trust with a post-incident strategy that leverages digital forensics, organizations can remain confident that they’re prepared to face any challenge brought forward by an insider.

Adam Belsher, chief executive officer, Magnet Forensics
